Tripwire
Builds a database of the interesting unchanging parts of your filesystem (kernel, binaries etc.)
Needs somewhere the database can be physically secured (read-only disk etc.) for safety
Run periodic reports to see if system has been interfered with
Looks easy to run; planning which parts of the filesystem need securing requires some work
Not currently in use but being seriously considered
Notes:
Tripwire builds a database that records information about the contents and directory entries of the indicated parts of your filesystem. It can be used at subsequent times to verify whether any unauthorised changes have occurred.
To be effective, you MUST be sure that you are initially running it on a clean system (no point in checkpointing a system that has already been compromised!), and you MUST keep the database somewhere that hackers cannot possibly interfere with it (a physically read-only file system would be ideal).
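A simplified illustration of the baseline-and-verify approach described above, added here as an example; it is not Tripwire's code or its database format. The function names, the JSON storage and the sample tree built in demo() are assumptions made for the illustration.

```python
import hashlib, json, os, stat, tempfile

def snapshot(root):
    """Record directory-entry metadata and content hashes for everything under root."""
    db = {}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)                      # lstat: describe links, do not follow them
            entry = {"mode": st.st_mode, "uid": st.st_uid, "gid": st.st_gid}
            if stat.S_ISREG(st.st_mode):
                digest = hashlib.sha256()
                with open(path, "rb") as f:
                    for chunk in iter(lambda: f.read(65536), b""):
                        digest.update(chunk)
                entry["size"] = st.st_size
                entry["sha256"] = digest.hexdigest()
            elif stat.S_ISLNK(st.st_mode):
                entry["target"] = os.readlink(path)
            db[os.path.relpath(path, root)] = entry
    return db

def compare(baseline, current):
    """Return sorted lists of (added, removed, changed) paths."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current)
                     if baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed sample tree: baseline it while clean, alter it, then verify."""
    with tempfile.TemporaryDirectory() as root:
        os.mkdir(os.path.join(root, "bin"))
        login = os.path.join(root, "bin", "login")
        kernel = os.path.join(root, "vmunix")
        with open(login, "wb") as f:
            f.write(b"original binary")
        with open(kernel, "wb") as f:
            f.write(b"kernel image")
        # Baseline taken on the clean tree; the JSON text stands in for the
        # database that would be kept on read-only media.
        stored = json.dumps(snapshot(root))
        with open(login, "wb") as f:
            f.write(b"modified binary")              # same size, different content
        os.chmod(kernel, 0o755)                      # permission change only
        open(os.path.join(root, "bin", ".extra"), "wb").close()
        return compare(json.loads(stored), snapshot(root))
```

The replaced file has the same length as the original, so a size check alone would miss it; the content hash is what flags the change.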
It was easy to build and looked easy to run; the hard part is planning which parts of your filesystem need to be defended, and working out a way of keeping the database secure.
We are definitely interested in this tool.